U.S. Department of the Interior 
PRIVACY IMPACT ASSESSMENT 





Introduction 


The Department of the Interior requires PIAs to be conducted and maintained on all IT systems whether 
already in existence, in development or undergoing modification in order to adequately evaluate privacy 
risks, ensure the protection of privacy information, and consider privacy implications throughout the 
information system development life cycle. This PIA form may not be modified and must be completed 
electronically; hand-written submissions will not be accepted. See the DOI PIA Guide for additional 
guidance on conducting a PIA or meeting the requirements of the E-Government Act of 2002. See 
Section 6.0 of the DOI PIA Guide for specific guidance on answering the questions in this form. 


NOTE: See Section 7.0 of the DOI PIA Guide for guidance on using the DOI Adapted PIA template to 
assess third-party websites or applications. 


Name of Project: Indian Arts and Crafts Board Model (IACBM) System 
Bureau/Office: Office of the Secretary 

Date: July 9, 2018 

Point of Contact: 

Name: Teri Barnett 

Title: Departmental Privacy Officer 

Email: DOI Privacy@ios.doi.gov 

Phone: 202-208-1605 

Address: 1849 C Street NW, Room 7112, Washington, DC 20240 


Section 1. General System Information 
A. Isa full PIA required? 


Yes, information is collected from or maintained on 
Members of the general public 
O Federal personnel and/or Federal contractors 
O Volunteers 
Oo All 


O No: Information is NOT collected, maintained, or used that is identifiable to the individual in 
this system. Only sections 1 and 5 of this form are required to be completed. 


B. What is the purpose of the system? 


The Department of the Interior (DOJ) Indian Arts and Crafts Board (IACB) is responsible for 
oversight and implementation of the Indian Arts and Crafts Act of 1990 (IACA), a truth-in- 
advertising law that prohibits misrepresentation in marking of Indian arts and crafts products. 
The IACB promotes the economic development of American Indians and Alaska Natives of 
federally recognized Tribes through the expansion of the Indian arts and crafts market, and 
produces a Source Directory of American Indian and Alaska Native Owned and Operated Arts 
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and Crafts Businesses. The IACB uses the Indian Arts and Crafts Board Model (IACBM), 
which consist of two Microsoft Access databases, to support their responsibilities under the 
IACA - the IACB Act Tracking database and the IACB Source Directory. 


The IACB receives complaints from individuals about possible [ACA violations and tracks 
violations through the IACB Act Tracking database. The IACB Act Tracking database is a 
system used to report and track Act violation cases. Individuals can report a violation via regular 
mail or online by submitting an online report through the IACB website: 


https://www.doi.gov/iacb/should-i-report-potential-violation. 


The IACB Source Directory is a Microsoft Access database of American Indian and Alaska 
Native Owned and Operated Arts and Crafts Businesses that promotes American Indian and 
Alaska Native arts and crafts. The Source Directory is used to maintain information on participant 
business listings and to promote the economic development of American Indians and Alaska 
Natives of federally recognized tribes through the expansion of the market for authentic Indian 
arts and crafts. This service is provided free of charge to members of federally recognized 
Tribes including American Indian and Alaska Native artists and craftspeople, cooperatives, 
Tribal arts and crafts enterprises, businesses privately-owned and-operated by American Indian 
and Alaska Native artists, designers, and craftspeople, and businesses privately-owned and 
operated by American Indian and Alaska Native merchants who retail and/or wholesale authentic 
Indian and Alaska Native arts and crafts. Provision of information for listing in Source Directory 
is voluntary. The Source Directory website can be accessed on the IACB website: 
https://www.doi.gov/iacb/source-directory. 





. What is the legal authority? 


Indian Arts and Crafts Act Public Law 101.644, The Indian Arts and Crafts Act of 1990; Public 
Law 106- 497, The Indian Arts and Crafts Enforcement Act of 2000; Public Law 111—211, The 
Indian Arts and Crafts Amendments Act of 2010; 25 U.S.C. 305, Indian Arts and Crafts Board; 
creation and composition; per diem payments; 18 U.S.C. 1159, Misrepresentation of Indian 
produced goods and products; and 25 CFR 309, Protection of Indian Arts and Crafts Products. 


. Why is this PIA being completed or modified? 


O New Information System 

O New Electronic Collection 

Existing Information System under Periodic Review 
O Merging of Systems 

O Significantly Modified Information System 

O Conversion from Paper to Electronic Records 

O Retiring or Decommissioning a System 

O Other: Describe 


The IACB is conducting this PIA to assess the privacy risks for use of both databases that are 
part of the IACBM. 
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E. Is this information system registered in CSAM? 


O Yes: Enter the UII Code and the System Security Plan (SSP) Name 
No 


F. List all minor applications or subsystems that are hosted on this system and covered under 
this privacy impact assessment. 

















Subsystem Name Purpose Contains PII Describe 
(Yes/No) If Yes, provide a 
description. 
None None No N/A 











G. Does this information system or electronic collection require a published Privacy Act 
System of Records Notice (SORN)? 


Yes: List Privacy Act SORN Identifier(s) 


DOI-24, Indian Arts and Crafts Board, system of records notice, 80 FR 27700, May 14, 2015. 
DOI system of records notices may be viewed on the DOI SORN website at: 


https://www.doi.gov/privacy/sorn. 


O No 
H. Does this information system or electronic collection require an OMB Control Number? 
Yes: Describe 


The Indian Arts and Crafts Board Source Directory Business Listing Application, OMB # 1085- 
0001, Expires 4/30/2021. 


O No 


Section 2. Summary of System Data 
A. What PII will be collected? Indicate all that apply. 


Name 

Social Security Number (SSN) 
Personal Cell Telephone Number 
Gender 

Tribal or Other ID Number 

Birth Date 

Personal Email Address 

Home Telephone Number 
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Other Names Used 

Law Enforcement 

Employment Information 
Mailing/Home Address 
Race/Ethnicity 

Other: Specify the PII collected. 


This system consists of records created or compiled during the management and oversight of 
IACB activities including records relating to Native American arts and crafts and law 
enforcement records. The purpose of the Act Tracking system is to report and track violations so 
the system may include records related to referrals for law enforcement investigations. Actual 
law enforcement investigation records and results of investigations are maintained outside of the 
IACBM in hard copy form or in other law enforcement systems. The IACB website contains a 
form to report violations that are tracked in the IACB Act Tracking system. Potential Violator 
name, address, email address, and website address are required for the Act tracking system, as 
well as dates of the violation(s) and related information. Referrals may include sensitive 
information on individuals including names on subject of investigation, contact information, 
tribal affiliation, description or distinguishing attributes of an individual, or other information 
provided by the source of the report. 


The Source Directory requires the business owner’s tribal enrollment card to verify the business 
owner is enrolled in a federally recognized tribe. Identified below are other PII data that may be 
provided by business owners for verification purposes: type of organization, hours/season of 
operation, internet web address, social media, main categories of products, retail or wholesale 
products, mail order and/or catalog, price list information, signed certification that the business is 
an American Indian or Alaska Native-owned and operated cooperative, tribal enterprise, or 
nonprofit organization, copy of documents showing that the organization is formally organized 
under tribal, state or federal law, and a signed certification that the owner of the business is a 
member of a federally recognized tribe. 


. What is the source for the PII collected? Indicate all that apply. 


Individual 

O Federal agency 

O Tribal agency 

O Local agency 
DOI records 

O Third party source 
O State agency 

O Other: Describe 


. How will the information be collected? Indicate all that apply. 
Paper Format 


Email 
Face-to-Face Contact 
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Web site 

Fax 

Telephone Interview 

O Information Shared Between Systems 
Other: Describe 


For the Act Tracking system- Individuals may mail, email, or report an alleged Act violation 
online via the “Report a Potential Violation“ webpage to the IACB to include name of potential 
violator, date of incident, description of incident, advertisements, catalogs, business cards, or 
photos, business name, and contact information. Information may also be derived from 
individuals who walk into or call IACB offices to report a potential violation. 


Source Directory- Individuals can submit forms via regular mail or fax to provide information 
such as proof of eligibility documents as a requirement for listing business into the Source 
Directory. 


. What is the intended use of the PII collected? 


The Act Tracking system is needed to track Act complaint cases that the IACB receive from the 
public about possible violations of the IACA of 1990. 


Source Directory PII data is used to compile, and manage a comprehensive and accurate list of 
all American Indian and Alaska Native arts and crafts businesses. This PII data is also used to 
determine whether an individual or business meets the requirements for listing and post their 
information to the online directory. Providing information for the directory is voluntary and 
individuals have the option to withhold comments they do not want posted. 


. With whom will the PII be shared, both within DOI and outside DOI? Indicate all that 
apply. 


Within the Bureau/Office: Describe the bureau/office and how the data will be used. 


Access to the IACBM system is only granted to authorized DOI IACB staff with an official 
“need-to-know” to perform their duties. 


Other Bureaus/Offices: Describe the bureau/office and how the data will be used. 


Access to the IACBM system is only granted to authorized DOI IACB staff with an official 
“need-to-know” to perform their duties 


Other Federal Agencies: Describe the federal agency and how the data will be used. 
The IACB can refer potential Act violations to the Department of Justice for prosecution and to 


resolve Act complaints, and to other Federal agencies and law enforcement authorities to initiate 
investigations, criminal proceedings, or civil actions related to alleged Act violations as 
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permitted in the routine uses outlined in the DOI-24, Indian Arts and Crafts Board, system of 
records notice. 


Tribal, State or Local Agencies: Describe the Tribal, state or local agencies and how the data 
will be used. 


The IACB can refer potential Act violations to State Attorney General Offices for possible Act 
violation prosecution and to resolve Act complaints. 


O Contractor: Describe the contractor and how the data will be used. 
Other Third Party Sources: Describe the third party source and how the data will be used. 


“Source Directory State and Country Listings” information is publically available on the IACB 
Source Directory website at https://www.doi.gov/iacb/state-and-country-listings for the public to 
view and purchase art and craftwork directly from those listed businesses if they choose to. 


. Do individuals have the opportunity to decline to provide information or to consent to the 
specific uses of their PII? 


Yes: Describe the method by which individuals can decline to provide information or how 
individuals consent to specific uses. 


Individuals have the option to remain anonymous when reporting potential Act violation or 
complaints to the IACB. 


Participants of the Source Directory voluntarily choose the information they want to share in their 
online listing which is the same information maintained in the database. For example, members 
may choose to provide the IACB with a cell number and no other contact information. 


No: State the reason why individuals cannot object or why individuals cannot give or 
withhold their consent. 


Individuals under investigation for potential Act violations do not have the opportunity to 
provide information or consent to the use of their information during the course of an 
investigation. 


Providing PII data for Source Directory listing is voluntary, however individuals and /or business 
owners are required to provide proof of eligibility as federally recognized American Indian and 


Alaska Native owned and operated arts and crafts businesses. 


. What information is provided to an individual when asked to provide PII data? Indicate 
all that apply. 


Privacy Act Statement: Describe each applicable format. 





I. 
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A Privacy Act Statement is posted on the IACB Report of Potential Violation form. 


This information is being collected under 25 U.S.C. § 305, 18 U.S.C. § 1159, and 25 CFR Part 
309 for the purpose of investigating potential violations of the Indian Arts and Crafts Act of 
1990. The Indian Arts and Crafts Board may use this information to refer potential violations to 
appropriate law enforcement organizations to investigate goods falsely represented and marketed 
as authentic Indian produced arts and crafts. Information may be disclosed to the Department of 
Justice for the prosecution of possible Act violations and to other organizations as a routine use 
published in the DOI-24, Indian Arts and Crafts Board system of records notice (80 FR 27700, 
May 14, 2015), which may be viewed at https://www.doi.gov/privacy/sorn. 





Furnishing this information is voluntary. Under the specific authority provided by 5 U.S.C. 
552a(k)(2), the Department of the Interior has adopted a regulation, 43 CFR 2.254(b), which 
exempts this system from the provisions of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4), (G), (H) and 
(1), and (f) and the portions of 43 CFR, Part 2, Subpart K that implement these provisions. This 
means that the information that you provide regarding a potential violation of the Indian Arts and 
Crafts Act will remain confidential. 


Privacy Notice: Describe each applicable format. 

Privacy notice is also provided through the publication of this privacy impact assessment and the 
published DOI-24: Indian Arts and Crafts Board system of records notice (80 FR 27700, May 
14, 2015), which may be viewed at https://www.doi.gov/privacy/sorn. 


O Other: Describe each applicable format. 


O None 


. How will the data be retrieved? List the identifiers that will be used to retrieve information 


(e.g., name, case number, etc.). 

The information for the Act tracking system can be retrieved by case number, open/closed status, 
complainant name, possible offender name, date of complaint, and state. The Source Directory 
information can be retrieved by first or last name, business name, tribal affiliation, and state. 
Will reports be produced on individuals? 

Yes: What will be the use of these reports? Who will have access to them? 

Individual case reports are printed out and put in the paper file for use in investigation and 
enforcement actions related to violation of the Indian Arts and Crafts Act. These files are locked 


and only staff members with a “need-to-know” have access to the files. 


Xx] No 
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The Source Directory Access database is used to produce mailing labels to send information to 
the Source Directory participants about their listings. For example we would pull their addresses 
to send an inquiry to review and provide current business listings. 


Section 3. Attributes of System Data 
A. How will data collected from sources other than DOI records be verified for accuracy? 


Data provided by individuals for alleged Act violation cases go through an investigation per 
policy and procedures defined by the IACB. Source Directory PII provided for inclusion in the 
database such as business name and contact information is not verified, however the Source 
Directory requires the business owner’s tribal enrollment card is used to verify business owner is 
enrolled in a federally recognized tribe. 


B. How will data be checked for completeness? 


Alleged Act violation cases go through an investigation process defined by the IACB that 
ensures information is accurate and complete. For the Source Directory database, the IACB 
contacts participants in the Source Directory to review and update their listings. 


C. What procedures are taken to ensure the data is current? Identify the process or name the 
document (e.g., data models). 


Information related to investigations for the Act Tracking information system is current at the 

time of the investigation on potential violations through established processes defined by the 
IACB. For the Source Directory database, the [ACB every few years reaches out to all participants 
in the Source Directory sending them a copy of their listing for review and updates. 


D. What are the retention periods for data in the system? Identify the associated records 
retention schedule for the records in this system. 


There is currently no approved retention schedule for the Act or Source Directory information. 
They are considered Unscheduled and must be treated as permanent records to be retained 
indefinitely until assigned a disposition authority approved by the National Archives and 
Records Administration. The IACB is working with DOI records management officials on a 
proposed records schedule for the IACBM records. 


E. What are the procedures for disposition of the data at the end of the retention period? 
Where are the procedures documented? 


Not applicable. 
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F. Briefly describe privacy risks and how information handling practices at each stage of the 
“information lifecycle” (i.e., collection, use, retention, processing, disclosure and 
destruction) affect individual privacy. 


There is a privacy risk to individuals in the Act Tracking system due to the amount and nature of 
the information that may be received from members of the public reporting alleged Act 
violations maintained in the system. There is a risk that names of individuals or organization 
who may not be falsely representing or marketing authentic Indian arts and crafts may be 
included in this database. This risk is mitigated by investigating all alleged Act violations 
reported to the IACB. 


There is a risk that unauthorized persons could potentially gain access to the PII on the system. 
This risk is mitigated by placing the Act Tracking system on a restricted office shared drive, and 
granting access to IACB personnel with an authorized “need-to-know” based on least privilege 
to perform official duties. The Source Directory files are located on the Office shared drive 
within the secure DOI network and are restricted to only authorized IACB employees with a 
need-to-know to perform their official duties. The DOI [ACB website is hosted on the DOI. gov 
website with secure connections (HTTPS) to protect the personal information provided by 
individuals. Access to the DOI network requires two factor authentication as well as firewalls 
and other security controls. Computer servers in which electronic records are stored are located 
in secured DOI facilities with physical, technical and administrative levels of security to prevent 
unauthorized access to the DOI network and information assets. Security and privacy controls 
are implemented in accordance with the Federal Information Security Modernization Act of 2014 
(FISMA), the Privacy Act, OMB Circular A-130, Managing Information as a Strategic Resource, 
OMB Circular A-123, Management’s Responsibility for Internal Control, and NIST 800-53, 
Security and Privacy Controls for Federal Information Systems and Organizations. 


There is a risk that the individual may not know the uses to which their information will be put 
once it is collected. This risk is mitigated through the Privacy Act statement provided to 
individuals, publication of this privacy impact assessment, and the published DOI-24: Indian 
Arts and Crafts Board system of records notice, which provide information on the purposes and 
authorized potential uses of PII data maintained by the IACB. 


There is a risk that PII may be misused or taken out of context. This risk is mitigated by 
ensuring that data gathered in the Act tracking system is protected from unauthorized disclosure 
and maintained in the investigative file. [ACB personnel are also instructed to be careful not to 
gather or store unnecessary information about either complainants or subjects. Review of 
potential violations and responding to complainants would be difficult if not impossible without 
this information, thus it is necessary to facilitate the efficient review and resolution of alleged 
violations, to provide a factual basis for the enforcement of the IACA. 


There is a risk that information in the system will be maintained longer than necessary to achieve 
the agency's mission, or that records may not be properly destroyed. IACB records are 
unscheduled and must be treated as permanent records until assigned a disposition authority that 
is approved by the National Archives and Records Administration. The IACB is working with 
DOI records management officials on a proposed records schedule for IACBM records. Until 
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approved, IACBM records are retained as permanent records. Once approved, the risk is 
mitigated by providing extensive training on IT security, Privacy, Records and controlled 
unclassified information. This training specifically includes the proper maintenance and disposal 
of records and procedures for handling and disposal of sensitive information. 


Privacy risks are mitigated through physical, technical, and administrative safeguards. 
Information and documents pertaining to investigations in Act Tracking system are closely 
safeguarded in accordance with applicable laws, rules and policies. DOI IACB employees must 
take privacy, Federal Information Systems Security Awareness (FISSA) and records 
management training prior to being granted access to DOI information and information systems, 
and annually thereafter. 


Personnel with significant privacy responsibilities, such as law enforcement personnel, must also 
take role-based Privacy Awareness training initially and annually, to ensure an understanding of 
the responsibility to protect privacy. [ACB personnel also sign the DOI Rules of Behavior. 


Failure to protect PII or mishandling or misuse of PII may result in disciplinary actions and 
potential termination of employment, criminal, civil, and administrative penalties. 


Section 4. PIA Risk Review 


A. Is the use of the data both relevant and necessary to the purpose for which the system is 
being designed? 


Yes: Explanation 

The Act tracking system is necessary to compile information, see duplicate offenders, and track 
which cases are open and closed. The Source Directory information is necessary to compile the 
information for posting online. The Access database allows us to manage the information for all 
participants. 


O No 


B. Does this system or electronic collection derive new data or create previously unavailable 
data about an individual through data aggregation? 


O Yes: Explain what risks are introduced by this data aggregation and how these risks will be 
mitigated. 


No 
C. Will the new data be placed in the individual’s record? 


O Yes: Explanation 
No 
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. Can the system make determinations about individuals that would not be possible without 
the new data? 


O Yes: Explanation 
No 


. How will the new data be verified for relevance and accuracy? 
Not applicable. 
. Are the data or the processes being consolidated? 


O Yes, data is being consolidated. Describe the controls that are in place to protect the data 
from unauthorized access or use. 


O Yes, processes are being consolidated. Describe the controls that are in place to protect the 
data from unauthorized access or use. 


No, data or processes are not being consolidated. 
. Who will have access to data in the system or electronic collection? Indicate all that apply. 


Users 
O Contractors 
O Developers 


System Administrator 
O Other: Describe 


IACB staff with an authorized “need-to-know” are the only employees with access to the Act 
Tracking system. 


. How is user access to data determined? Will users have access to all data or will access be 
restricted? 


Only employees with an official “need-to-know” have access to the Act complaint system. All 
authorized IACB employees have access to the Source Directory system. 


Are contractors involved with the design and/or development of the system, or will they be 
involved with the maintenance of the system? 


O Yes. Were Privacy Act contract clauses included in their contracts and other regulatory 
measures addressed? 


Xx] No 
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J. Is the system using technologies in ways that the DOI has not previously employed (e.g., 
monitoring software, SmartCards or Caller ID)? 


O Yes. Explanation 
No 


K. Will this system provide the capability to identify, locate and monitor individuals? 


O Yes. Explanation 
No 


L. What kinds of information are collected as a function of the monitoring of individuals? 


The purpose of the [ACBM is to track Act violations and support the Source Directory, not to 
monitor individuals. 


M. What controls will be used to prevent unauthorized monitoring? 
Not applicable. 
N. How will the PII be secured? 


(1) Physical Controls. Indicate all that apply. 


Security Guards 

O Key Guards 

Locked File Cabinets 
Secured Facility 

Closed Circuit Television 
O Cipher Locks 
Identification Badges 

O Safes 

O Combination Locks 


Locked Offices 
O Other. Describe 


(2) Technical Controls. Indicate all that apply. 


Password 

Firewall 

O Encryption 

User Identification 

O Biometrics 

Intrusion Detection System (IDS) 
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Virtual Private Network (VPN) 

O Public Key Infrastructure (PKI) Certificates 
Personal Identity Verification (PIV) Card 
Other. Describe 


System files are stored on a restricted office shared drive within the secure DOI network. 
Access to the DOI network requires two factor authentication as well as firewalls and other 
security controls. The DOI [ACB website is hosted on the DOI.gov website with secure 
connections (HTTPS). 


(3) Administrative Controls. Indicate all that apply. 


Periodic Security Audits 

O Backups Secured Off-site 

Rules of Behavior 

Role-Based Training 

Regular Monitoring of Users’ Security Practices 

Methods to Ensure Only Authorized Personnel Have Access to PII 
O Encryption of Backups Containing Sensitive Data 

Mandatory Security, Privacy and Records Management Training 
O Other. Describe 


O. Who will be responsible for protecting the privacy rights of the public and employees? This 
includes officials responsible for addressing Privacy Act complaints and requests for 
redress or amendment of records. 


The Director, Indian Arts and Crafts Board serves as the IACBM Information System Owner and 
the official responsible oversight and management of the IACBM security and privacy controls 
and the protection of the information processed and stored by the IACBM program. The 
IACBM Information System Owner and the Information System Security Officer are responsible 
for addressing privacy rights and complaints, and ensuring adequate safeguards are implemented 
to protect individual privacy in compliance with Federal laws and policies for the data managed 
and stored within the IACBM program, in consultation with the Departmental Privacy Officer. 


P. Who is responsible for assuring proper use of the data and for reporting the loss, 
compromise, unauthorized disclosure, or unauthorized access of privacy protected 
information? 


The IACBM System Owner is responsible for the daily operational oversight and management of 
the IACBM program security and privacy controls, for ensuring to the greatest possible extent 
that data is properly managed and that access to the data has been granted in a secure and 
auditable manner. The IACBM Information Systems Owner, Information System Security 
Officer, and the program officials within the IACB are responsible for ensuring that any loss, 
compromise, unauthorized access or disclosure of the PII is reported to DOI-CIRC and 
appropriate DOI officials in accordance with Federal policy and established DOI procedures. 
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